Analysis updated 2026-05-18
Intercept function calls in an Android app to inspect arguments and return values.
Study anti-cheat or anti-fraud protections without triggering memory-scanning detection.
Modify a function's return value or arguments at runtime for reverse engineering research.
| xiaojianbang8888/xiaojianbang-stealth-hook | freertos/freertos-smp-demos | nettitude/clr-stomp | |
|---|---|---|---|
| Stars | 68 | 68 | 72 |
| Language | C | C | C |
| Last pushed | — | 2025-02-16 | — |
| Maintenance | — | Stale | — |
| Setup difficulty | hard | moderate | hard |
| Complexity | 5/5 | 3/5 | 5/5 |
| Audience | researcher | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires a rooted Android device with a modified kernel via KernelPatch and APatch.
This project is an Android kernel-level hooking framework aimed at security researchers and reverse engineers. Hooking, in this context, means intercepting a function call inside a running app so you can observe what arguments were passed to it, what it returned, or change those values before the original function runs. This tool does that without modifying any memory inside the target process, which is what makes it unusual. Most existing hook tools (the README compares against several well-known ones) work by patching code inside the app's memory or injecting a shared library into the process. Anti-cheat and anti-fraud systems in apps can detect both of those approaches by scanning memory or checking for suspicious library mappings. This framework instead uses a CPU-level feature called hardware breakpoints, which are debug registers built into ARM64 processors. The hook is set up inside the kernel, not in the app's memory, so the app's own scanning code cannot see it. Using the tool requires a rooted Android device running a modified kernel environment called KernelPatch and APatch, which allows loading custom kernel modules. You push two files to the device: the kernel module (a .kpm file) and a command-line tool. From there you tell the tool which process to watch, which shared library inside it to target, and at what byte offset within that library the function starts. The tool then logs every call to that function in real time, showing register values and memory contents. You can also replace the return value, modify arguments before the function executes, or capture only a specific numbered call. The README is written primarily in Chinese. The project is licensed under GPL-2.0-or-later. The author maintains tutorials and technical articles on Bilibili (a Chinese video platform) and a paid knowledge community where full implementation details are published.
An Android kernel-level hooking framework that lets security researchers intercept and modify function calls inside apps using hardware breakpoints, without touching app memory.
Mainly C. The stack also includes C, Android kernel, ARM64.
You can use and modify the code, but any distributed derivative work must also be released under the same GPL license.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.